AV Catching Only a Few Attachments

Spent hours today looking for a solution and I'm pretty confused, so I hope this makes sense.

I am running ZCS 7.x
AV is set to not block encrypted attachments; PDFs generally come through fine.

Problem: A few, maybe 2 per week, non-encrypted PDFs get marked as having a virus, always from known and trusted individuals. Is there a way to whitelist just these known individuals and get these through?
— OR —
I would even be happy to be able to "release" these manually to the recipients, but the various methods described in these forums don't work for me. The quarantined files do not show up in the /opt/zimbra/data/amavisd/quarantine folder. I can't find where Zimbra is putting these quarantined files that it notifies me of. The quarantine folder does have files, all starting with "badh" or "banned", but none that start with "virus", which is what the notification email tells me the filename will be.

Are locations different in ZCS 7? I've done full file searches for the virus filename and can't locate it. Are they stored in MySQL now?

Any way to "release" these or whitelist known users so their attachments always come through?

Sorry that this message isn't going to provide any help. I have the same/similar issue.

Release methods might work, but the problem is finding the message.

All messages in the /opt/zimbra/data/amavisd/quarantine folder start with badh- and then 12 alphanumeric characters. But nothing in the message received is the same as any file in the quarantine. The message is in the inbox of the virus-quarantine user in Zimbra, but forwarding it fails (it still gets virus scanned), and nothing in the header (even the X-Quarantine-ID) matches anything in the names of the files in the quarantine folder.

The virus message says something like:

VIRUS ALERT

Our content checker found
virus: Heuristics.Encrypted.PDF

in an email to you from probably faked sender:
?@[IP Address]
claiming to be: <user@domain.tld>
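Both posts above run into the same wall: the notification names a quarantine id, but no file in /opt/zimbra/data/amavisd/quarantine is named after it. The script below is an added example, not code from this thread or from Zimbra or amavisd. It parses the quarantine id and signature name out of a VIRUS ALERT notification and then searches the quarantine directory by the X-Quarantine-ID header stored inside each file rather than by file name, so a message filed under a badh- name can still be found. Assumptions: the notification carries an X-Quarantine-ID header, quarantine files are plain or gzipped RFC 822 messages carrying that same header, and the sample notification and quarantine files are constructed here (the id, IP and addresses are made up).

```python
"""Locate an amavisd quarantine file from a Zimbra virus-alert notification.

Added example, not from the thread, Zimbra or amavisd. Assumes the notification
mail has an X-Quarantine-ID header and that each quarantine file is a plain or
gzipped message whose own X-Quarantine-ID header carries the same value, even
when the file name on disk (badh-..., banned-...) does not.
"""
import gzip
import os
import re
import tempfile

QUARANTINE_DIR = "/opt/zimbra/data/amavisd/quarantine"  # path named in the thread

_QID_RE = re.compile(r"^X-Quarantine-ID:\s*<?([^>\s]+)>?", re.MULTILINE | re.IGNORECASE)
_VIRUS_RE = re.compile(r"^\s*virus:\s*(\S+)", re.MULTILINE)

# Constructed notification modelled on the one quoted above; id and addresses are invented.
SAMPLE_NOTIFICATION = """\
X-Quarantine-ID: <virus-xK9pQr2sT4uV>
Subject: VIRUS (Heuristics.Encrypted.PDF) in mail from you

VIRUS ALERT

Our content checker found
    virus: Heuristics.Encrypted.PDF

in an email to you from probably faked sender:
?@[192.0.2.10]
claiming to be: <user@example.com>

The message has been quarantined as:
  virus-xK9pQr2sT4uV
"""


def parse_notification(text):
    """Pull the quarantine id and the detected signature out of a VIRUS ALERT mail."""
    qid = _QID_RE.search(text)
    virus = _VIRUS_RE.search(text)
    return {
        "quarantine_id": qid.group(1) if qid else None,
        "virus": virus.group(1) if virus else None,
    }


def _read_headers(path):
    """Return the header block of a (possibly gzipped) quarantine file as text."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        raw = fh.read()
    # Headers end at the first blank line; tolerate CRLF or LF line endings.
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    return head.decode("latin-1")


def find_quarantined(quarantine_dir, quarantine_id):
    """Match by file name first, then by the X-Quarantine-ID header inside each file."""
    hits = []
    for name in sorted(os.listdir(quarantine_dir)):
        path = os.path.join(quarantine_dir, name)
        if not os.path.isfile(path):
            continue
        if quarantine_id in name:
            hits.append(path)
            continue
        m = _QID_RE.search(_read_headers(path))
        if m and m.group(1) == quarantine_id:
            hits.append(path)
    return hits


def demo():
    """Build a constructed quarantine directory and run the lookup against it."""
    alert = parse_notification(SAMPLE_NOTIFICATION)
    with tempfile.TemporaryDirectory() as qdir:
        # File named like the ones the posters see (badh- plus 12 characters),
        # but whose header carries the id from the notification.
        with open(os.path.join(qdir, "badh-a1b2c3d4e5f6"), "wb") as fh:
            fh.write(b"Received: from mta.example.com\r\n"
                     b"X-Quarantine-ID: <virus-xK9pQr2sT4uV>\r\n"
                     b"From: user@example.com\r\n\r\nbody\r\n")
        # An unrelated banned-attachment entry, gzipped, that must not match.
        with gzip.open(os.path.join(qdir, "banned-z9y8x7w6v5u4.gz"), "wb") as fh:
            fh.write(b"X-Quarantine-ID: <banned-z9y8x7w6v5u4>\n\nbody\n")
        hits = find_quarantined(qdir, alert["quarantine_id"])
        return alert["virus"], [os.path.basename(p) for p in hits]


if __name__ == "__main__":
    print(demo())
```

Against a live mailbox store you would feed the notification's raw source to `parse_notification()` and call `find_quarantined(QUARANTINE_DIR, qid)` as the zimbra user; a hit tells you which badh- or banned- file actually holds the message, and the `virus` field (here the Heuristics.Encrypted.PDF signature quoted in the thread) is what you would cite when deciding whether the detection is a false positive worth releasing.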